ClearBlue
Public Types
enum SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 }
enum VulnerabilityCategoryType { VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint, VCT_End }
typedef std::pair< const SEGOperandNode *, const SEGSiteBase * > ValueSitePairType
Public Member Functions
virtual void setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)=0
virtual void setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites)=0
virtual bool checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory)
virtual bool finalCheck (const VulnerabilityTraceBuilder &TraceHistory)
virtual void ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces)
virtual bool isFlowInsensitive ()
virtual SiteType checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory)=0
virtual bool checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace)
VulnerabilityCategoryType getCategoryType () const
bool isParasitical () const
void setParasitical (bool B)
const char * getDescription ()
    Return the description of the vulnerability.
BugDescription::BugImportance getImportance () const
BugDescription::BugClassification getClassification () const
const char * getName ()
    Return the name of the vulnerability.
virtual PSAReportDecoratorDefault * allocNewDecorator ()
virtual void destroyDecorator (PSAReportDecoratorDefault *decorator)
virtual void getAnalysisUsage (AnalysisUsage &AU)
virtual void initializeAnalysis (Pass *P)
typedef std::pair<const SEGOperandNode *, const SEGSiteBase *> Vulnerability::ValueSitePairType
This type describes a value that is used or defined at some site. For a constant value, which needs no definition site, use nullptr as the definition site.
enum Vulnerability::SiteType
The type of a use site for a vulnerability:
ST_Others: an insensitive use site.
ST_Return: the use site is a return instruction.
ST_Call: the use site is a call instruction.
ST_Sink: the use site is the sink of a source-sink style vulnerability.
The values are bit flags and may be combined. For a call site (or return site) that you regard as a sink of the vulnerability, return ST_Sink. If you expect the inter-procedural analysis to continue from the call site (or return site), return ST_Call (or ST_Return). If both apply, return ST_Call | ST_Sink (or ST_Return | ST_Sink). Callers should therefore test the result with a bit mask rather than with equality.
enum Vulnerability::VulnerabilityCategoryType
It describes the categories of source-sink style vulnerability.
VCT_SinkMustReach: given a fresh value as the source, it is a vulnerability if there exists some path along which the source does not reach a sink. Here a fresh value includes a constant value, the return value of a library call, an alloca instruction, etc.
VCT_SinkMustNotReach: given a fresh value as the source, it is a vulnerability if the source reaches a sink along some path.
VCT_Taint: similar to VCT_SinkMustNotReach, but the source is not required to be a fresh value. Besides, if a pointer, e.g. ptr, is regarded as a source, *ptr is also regarded as a source.
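The following is an added, stand-alone example (it is not ClearBlue code and does not use its headers). It copies the two enums above and shows how a checkSite() implementation composes the SiteType bit flags, how a caller must test them with masks, and what each VulnerabilityCategoryType means when applied to the set of value-flow paths leaving one source. The Site struct, Path typedef, classifySite and isVulnerable are assumptions made for the example; they stand in for what a real checker derives from SEGSiteBase and VulnerabilityTraceBuilder.

```cpp
// Added example, not ClearBlue code. It mirrors the two enums documented on
// this page and models (a) how a checkSite() override should compose SiteType
// flags and (b) what each VulnerabilityCategoryType means for a set of
// value-flow paths. Site, Path, classifySite and isVulnerable are assumptions.
#include <algorithm>
#include <vector>

// Values copied from Vulnerability::SiteType on this page.
enum SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 };

// Values copied from Vulnerability::VulnerabilityCategoryType on this page.
enum VulnerabilityCategoryType { VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint, VCT_End };

// Hypothetical summary of a use site; stands in for what a checker would
// derive from a SEGSiteBase.
struct Site {
    bool isCall;           // the use site is a call instruction
    bool isReturn;         // the use site is a return instruction
    bool isSink;           // the checker treats this site as a sink
    bool followInterproc;  // the checker wants to continue into the callee/caller
};

// Compose the SiteType a checkSite() override returns, following the rule on
// this page: ST_Sink if the site is a sink, ST_Call / ST_Return if the
// inter-procedural analysis should continue from it, both OR-ed together if
// both apply, and ST_Others for an insensitive use site.
int classifySite(const Site& s) {
    int t = 0;
    if (s.isSink) t |= ST_Sink;
    if (s.followInterproc) {
        if (s.isCall)   t |= ST_Call;
        if (s.isReturn) t |= ST_Return;
    }
    return t == 0 ? ST_Others : t;
}

// Because the flags are bits, a caller tests them with masks, not equality.
bool isSinkSite(int t)         { return (t & ST_Sink) != 0; }
bool continuesInterproc(int t) { return (t & (ST_Call | ST_Return)) != 0; }

// A value-flow path from one source, recorded as the SiteType of each site it visits.
typedef std::vector<int> Path;

bool pathReachesSink(const Path& p) {
    return std::any_of(p.begin(), p.end(), isSinkSite);
}

// Decide whether the paths leaving one source form a vulnerability under the
// category semantics on this page. VCT_Taint differs from VCT_SinkMustNotReach
// only in what counts as a source, so the path condition is the same.
bool isVulnerable(VulnerabilityCategoryType cat, const std::vector<Path>& paths) {
    switch (cat) {
    case VCT_SinkMustReach:
        // vulnerable if some path never reaches a sink
        return std::any_of(paths.begin(), paths.end(),
                           [](const Path& p) { return !pathReachesSink(p); });
    case VCT_SinkMustNotReach:
    case VCT_Taint:
        // vulnerable if some path reaches a sink
        return std::any_of(paths.begin(), paths.end(), pathReachesSink);
    default:
        return false;
    }
}
```

A call site that is both a sink and a point to continue the analysis yields ST_Call | ST_Sink, so a consumer that compared the result with `== ST_Sink` would silently skip it; the mask helpers show the intended test.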
virtual bool Vulnerability::checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory) [inline, virtual]
Checks whether the node CurrNode can flow to a sink site along the value flow. TraceHistory represents the trace history just before reaching CurrNode.
Users can implement their own analyses, loaded via Vulnerability::getAnalysisUsage and Vulnerability::initializeAnalysis, to decide early that some nodes cannot trigger the vulnerability, so that the checking process is sped up by pruning them.
virtual SiteType Vulnerability::checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory) [pure virtual]
Checks the type of CurrSite, given the trace history TraceHistory, which represents the trace just before reaching CurrSite.
Implemented in SailFishVulnerability.
virtual bool Vulnerability::checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace) [inline, virtual]
Checks each node of the whole possibly vulnerable trace Trace to verify that the flow from source to sink is valid.
virtual void Vulnerability::ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces) [inline, virtual]
Used to handle non-pointer type global variables. PSAChecker does not regard non-pointer type global variables as sources or sinks, so this API is the place to handle them. It should also handle constants in general, such as 1, 2, 3, 0x1234567, &g, etc., not only global variables. The function is checked based on the argument SEG; the resulting vulnerability traces are constructed and appended to the argument AllTraces.
virtual bool Vulnerability::finalCheck (const VulnerabilityTraceBuilder &TraceHistory) [inline, virtual]
Given a final trace, checks whether the trace itself meets any additional requirement of the vulnerability. For example, the data race checker uses it to check the MHP (may-happen-in-parallel) relation, since a data race is a concurrency problem. For a vulnerability with no such requirement, return true.
virtual void Vulnerability::getAnalysisUsage (AnalysisUsage &AU) [inline, virtual]
LLVM analyses can be declared here.
Use AnalysisUsage::addRequired() to declare which analyses will be used. All required analyses are preserved by default, so extra calls to AnalysisUsage::addPreserved() or AnalysisUsage::setPreservesAll() are not necessary.
virtual void Vulnerability::initializeAnalysis (Pass *P) [inline, virtual]
Initialize the analysis here using P. You can declare a class member field, e.g.,
and in the function, you can initialize it as
virtual bool Vulnerability::isFlowInsensitive () [inline, virtual]
Returns true for vulnerabilities that do not require reachability information in TaintFunctionChecker. The return value only decides whether the result of Parent->CRA->isReachable is ignored; a concrete checker that is flow insensitive (e.g., DataRace) must therefore do any reachability checking it needs by itself. For example, the data race checker marks every write as a source and every read/write as a sink; a write/read pair must not be filtered by reachability, otherwise roughly half of the pairs would be dropped.
bool Vulnerability::isParasitical () const [inline]
Returns true if the vulnerability cannot exist independently. In other words, it must exist as part of a multi-vulnerability.
virtual void Vulnerability::setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites) [pure virtual]
This function defines the prerequisites of this vulnerability, given the trace history and the current use site.
For example, for Null Pointer Dereference the prerequisite is that the dereferenced pointer is nullptr, otherwise a Null Pointer Dereference cannot happen. Thus, this function should add Solver->getOrInsertExpr(TraceHistory.recentObjAs<SEGNodeBase>()) == 0 to Prerequisites; here, nullptr is modeled as 0.
Users can implement an empty function if there is no prerequisite.
Implemented in SailFishVulnerability.
virtual void Vulnerability::setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources) [pure virtual]
Collects a list of source nodes and their corresponding source sites. If the source site is null, the source starts at the very beginning of the function.
Users should override this function and collect the sources into Sources.
Implemented in SailFishVulnerability.